Amazon Disrupts APT29 Watering Hole Campaign, Exposing Sophisticated Phishing Tactics

Amazon’s threat intelligence team has disrupted a sophisticated phishing campaign orchestrated by the Russia-linked APT29 hacking group, which has been using compromised websites to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. The campaign, attributed to UNC6293, leveraged compromised legitimate websites to redirect approximately 10% of visitors to actor-controlled domains, mimicking Cloudflare verification pages to give an illusion of legitimacy.
According to Amazon’s Chief Information Security Officer CJ Moses, the campaign involved injecting JavaScript code into legitimate websites, which then redirected victims to actor-controlled domains. Once on these domains, victims were tricked into entering a legitimate device code generated by the threat actor, effectively granting the attackers access to the victims’ Microsoft accounts and data.
The APT29 group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Earth Koshchei, ICECAP, Midnight Blizzard, and The Dukes, has been linked to various phishing methods, including device code phishing and device join phishing, to obtain unauthorized access to Microsoft 365 accounts. The group has also been observed using malicious Remote Desktop Protocol (RDP) configuration files to target Ukrainian entities and exfiltrate sensitive data.
The group’s tactics have been particularly sophisticated, incorporating various evasion techniques such as Base64 encoding to conceal malicious code, setting cookies to prevent repeated redirects of the same visitor, and shifting to new infrastructure when blocked. This has made it challenging for security teams to detect and disrupt their operations.
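As an added defensive example (not code from Amazon’s report or any of the organizations named here), the following Python heuristic scans a page’s inline scripts for the combination the article describes: a Base64-concealed payload that sets a cookie to avoid re-redirecting a visitor, redirects only a random fraction of visitors, and references a Cloudflare-style verification lure. The sample page, its script contents and the domain in it are constructed for illustration.

```python
import base64
import re

# Heuristics drawn from the campaign description: Base64-concealed script,
# cookie set to avoid re-redirecting a visitor, a random fraction of visitors
# redirected, and a lure posing as a Cloudflare verification page.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INDICATORS = {
    "sets_cookie": re.compile(r"document\.cookie\s*="),
    "redirects": re.compile(r"(location\.(href|replace|assign)|window\.location)\s*[=(]"),
    "random_sample": re.compile(r"Math\.random\(\)\s*[<>]"),
    "cloudflare_lure": re.compile(r"cloudflare|verify you are human", re.I),
}


def decode_base64_blobs(text):
    """Return the script text followed by the decoded form of any Base64 blob in it."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not text once decoded
    return text + "\n" + "\n".join(decoded)


def scan_html(html):
    """Return (script_index, sorted_indicator_names) for each suspicious inline script.

    A script is flagged only if it redirects AND at least two other indicators
    fire, so an ordinary single redirect is not reported.
    """
    findings = []
    for i, body in enumerate(SCRIPT_RE.findall(html)):
        view = decode_base64_blobs(body)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(view))
        if "redirects" in hits and len(hits) >= 3:
            findings.append((i, hits))
    return findings


def build_sample_page():
    """Constructed sample page: one ordinary script, one Base64-wrapped injected script."""
    injected = ("if(!document.cookie.includes('cf_seen')){document.cookie='cf_seen=1';"
                "if(Math.random()<0.1){location.href='https://verify.example.invalid/cloudflare';}}")
    blob = base64.b64encode(injected.encode()).decode()
    return ("<html><body><script>window.dataLayer=window.dataLayer||[];</script>"
            "<script>eval(atob('" + blob + "'));</script></body></html>")


if __name__ == "__main__":
    print(scan_html(build_sample_page()))
```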
Amazon’s intervention has disrupted the campaign, and the threat actor has been forced to migrate to new infrastructure, including a move off AWS to another cloud provider. However, researchers have warned that the group may continue to adapt and evolve its tactics, making it essential for users to remain vigilant and take steps to protect their accounts and data.
The incident highlights the ongoing threat posed by sophisticated hacking groups like APT29, which continue to evolve and adapt their tactics to evade detection and gain unauthorized access to sensitive information. The campaign also underscores the importance of robust security measures, including multi-factor authentication, regular software updates, and employee education, to prevent such attacks.
In related news, researchers have also warned of a new security vulnerability in the Sitecore Experience Platform, which has been linked to a cache poisoning and remote code execution exploit. This vulnerability has the potential to allow attackers to inject malicious code onto compromised websites, further highlighting the need for robust security measures to prevent such attacks.
As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive steps to protect their networks, systems, and data from sophisticated hacking groups like APT29.